Gargamel - Smurf Detection Script

[tec27]

I've completed the smurf detection script I was working on yesterday, and I figured someone else may find it useful so I've decided to post it here. For those who don't know, smurfs are basically people playing under names that are not their originals. This script detects vaporId's that are associated with multiple names or IP addresses and names that are associated with multiple vaporId's. This should find every instance of someone playing under multiple names (and also generates false positives for multiple people playing from the same network, but that is easily manually checked).

Anyway, here's the script:
http://avantageous.com/gargamel.rb

It's written in ruby, so you'll obviously need to have that installed to use it. Using it is fairly simple, just pass it the path to your Altitude log directory (and maybe redirect its output to a file, cause its fairly long). After that it'll run through all your log files and analyze them for you.

I plan on updating it soon to allow specifying a time range to limit analysis to, and I'll let you guys know when that happens.

Note: this script is intended for use by people running servers, not people who only use the client.

[DiogenesDog]

awesome name for this utility.

[Vi*]

ahahhaa I agree with Dio

[phong]

Wouldn't it be easier to just script it in a bash or bat file? There are plenty of built in utilities to parse logs like this without having to install ruby

[Rechtschaffen]

Quote:

Originally Posted by phong

Wouldn't it be easier to just script it in a bash or bat file? There are plenty of built in utilities to parse logs like this without having to install ruby

Well, I'd just jack it into the codematrix and reconfigulate it as FORTRAN 2000.

[phong]

If fortan still ran natively I'd give it thumbs up

[phong]

Script to pull all the ip connections per vaporid, could easily add names as well. I'm pretty sure lam will have a fix for nicknames soon.

Code:

#!/bin/sh
# ipscan.sh
# Usage: ipscan.sh ServerLogFile

tmpfile=$RANDOM".tmp";

grep 'Handling join request' $1 | awk '{ print $11 }' | sed 's/.*\(vaporId=\)//' | sed 's/,//' | sort -u > $tmpfile

exec 3<&0
exec 0<$tmpfile

while read line
do
        echo "Vapor ID: "$line
        echo "################## IP Connections ######################"
        grep 'Handling join request' $1 | grep $line | awk '{ print $9}' | sed 's/\([^.]*\.[^.]*\.[^.]*\)\..*/\1/' | sort -u
        echo "##################### Nicknames ########################"
        grep 'Handling join request' $1 | grep $line | sed 's/.*\(nickName=\)//' | sed 's/\(, loggedIn=\).*//' | sort -u
        echo ""
done
exec 0<&3

# Cleanup
rm $tmpfile;
exit 0

edit - added nicknames also. This could be cleaned up more but I'm bad with sed.

[ham]

oh my god, the name is hilarious

[Rechtschaffen]

Quote:

Originally Posted by ham

oh my god, the name is hilarious

Correction: the name is 'Gargamel'.

[mikesol]

I appreciate the fact there's another Ruby programmer out there - I have met very few people who do anything in Ruby.

[Triped]

Quote:

Originally Posted by mikesol

I appreciate the fact there's another Ruby programmer out there - I have met very few people who do anything in Ruby.

Well, not everyone likes sites that can't scale.

[tec27]

Quote:

Originally Posted by mikesol

I appreciate the fact there's another Ruby programmer out there - I have met very few people who do anything in Ruby.

I haven't done very much in it. I fooled around with it a while back and I enjoyed using it, so I decided that this script was a good excuse to use it some more

[mikesol]

Quote:

Originally Posted by Triped

Well, not everyone likes sites that can't scale.

My girlfriend has spent the summer working on a ridiculously huge website with tons of databases and it's mostly done in Ruby. Ruby can scale if you know what you're doing =P